I wish to understand the security hole

2001-07-24
2003-04-10
  • Dinosane M. Moreira

    Hi,

    "the if() clause around $_PHPLIB['libdir'] assignment will allow a remote
    attacker to provide their own libdir (which can be remote), essentially
    allowing any person to inject any PHP code from anywhere into "
    -- Nathan Hruby

    Sorry, but I couldn't figure out HOW this is possible!  The code is just

    if (!is_array($_PHPLIB)) {
      $_PHPLIB["libdir"] = "/home/httpd/php/";
    }

    Could anyone explain this to me?

    • nathan hruby

      nathan hruby - 2001-07-24

      Sure..

      The default in PHP is for fopen & friends to have network access, making it possible for fopen, fgets, include and require to make network connections and retrieve remote files.  In the context of include / require this means that the retrieved code will be evaluated for PHP start and end tags.  If they are found, everything between these tags will be evaluated as PHP.

      Now, if a cracker would like access to your db or system, all they need to do is craft a set of PHPLib libraries that do whatever they want.  After that they can go to any affected site and simply supply a new value for $_PHPLIB['libdir'] via the GET string.  If register_globals is on (most likely it is) then that GET string will be evaluated and placed in the global environment.  prepend.php3 will not initialize the variable because the if() clause says "If the variable *isn't* an array, then init it", but the attacker has already caused it to be an array, containing his own code.

      make sense?

    • Anonymous - 2003-04-10

      register_globals is EVIL. I turn it off, and PHP libraries that stop working, I remove and do without. I also complain MANY times to the newsgroup for that library. To make sure that your site is safe from this attack, you can look at some of the settings in this section out of my .htaccess file:
      -----------
      #----------- Files/Directories to ignore -----------------------
      IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti* passwords

      #----------- HTTP Retrieval Limitations ------------------------
      <Limit GET POST>
      order deny,allow
      deny from all
      allow from all
      </Limit>

      <Files .* >
      order deny,allow
      Deny From All
      </Files>

      <Files _* >
      order deny,allow
      Deny From All
      </Files>

      <Files ~* >
      order deny,allow
      Deny From All
      </Files>

      <Files *.inc >
      order deny,allow
      Deny From All
      </Files>

      <Files *.conf >
      order deny,allow
      Deny From All
      </Files>

      #----------- NO Modifications to Site Via HTTP -----------------
      <Limit PUT DELETE>
      order deny,allow
      deny from all
      </Limit>

      #----------- PHP Configuration for Security --------------------
      php_flag track_vars            1
      php_flag register_globals      0

      # ENABLE IF NEEDED
      php_flag allow_url_fopen       0
      php_flag magic_quotes_runtime  0
      php_flag magic_quotes_gpc      0
      php_flag magic_quotes_sybase   0

      # ENABLE THIS FOR TROUBLE SHOOTING
      php_value display_errors       1
      php_value log_errors           1

      # ENABLE IF NEEDED
      php_flag enable_dl             0

      # ENABLE IF NEEDED
      php_flag file_uploads          0
      php_value open_basedir         "/home/virtual/eventradar.com/home/gearond/mainwebsite_html/"

      ########## BEGIN STYLE ALLOW SECTION ###################################

      php_flag short_open_tag        0
      php_flag asp_tags              0

      ########## BEGIN SITE CONFIGURATION ####################################

      php_value include_path ".:/"
      php_value auto_prepend_file ""
      php_value error_log         ""

      I have errors on because this is a dev site protected by standard HTML Auth, and no one else is using the site. If it was a publicly used site, I would not have errors turned on giving away path names.
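The two points made in this thread, the failing `if (!is_array($_PHPLIB))` guard explained by nathan hruby and the php.ini hardening in the .htaccess above, can be put side by side in one script. The following is an added example written for this page; it is not PHPLib's own code and was not posted by any participant. It contains a hardened replacement for the prepend initialisation (unconditional assignment plus a local-directory check) and a runtime audit of the ini directives the .htaccess turns off. All function names are hypothetical, `register_globals` no longer exists in current PHP (removed in 5.4) so its effect is simulated by assigning the global directly, and the script's own directory stands in for /home/httpd/php/ so the demo runs anywhere.

```php
<?php
// Added example for this thread; not PHPLib code and not from any poster.
// Shows why the quoted guard fails under register_globals, a hardened
// replacement, and a runtime audit of risky ini directives.
// All function names are hypothetical. register_globals was removed in
// PHP 5.4, so its effect is simulated below by assigning the global directly.

// For a runnable demo the script's own directory stands in for /home/httpd/php/.
define('PHPLIB_LIBDIR', __DIR__ . '/');

// --- Vulnerable pattern, as quoted in the first post ----------------------
// If the request already populated $_PHPLIB as an array, the assignment is
// skipped and every later require($_PHPLIB['libdir'] . 'x.inc') uses the
// request-supplied prefix.
function phplib_init_vulnerable()
{
    global $_PHPLIB;
    if (!is_array($_PHPLIB)) {
        $_PHPLIB['libdir'] = PHPLIB_LIBDIR;
    }
    return $_PHPLIB['libdir'];
}

// --- Hardened pattern -------------------------------------------------------
function phplib_libdir_is_safe($dir)
{
    // Reject any URL scheme (http://, ftp://, php://, ...) before touching the
    // filesystem; include/require would otherwise fetch it over the network.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $dir)) {
        return false;
    }
    // realpath() resolves ".." and symlinks; the result must be an existing
    // directory equal to, or strictly inside, the configured library root.
    $real = realpath($dir);
    $base = rtrim(PHPLIB_LIBDIR, '/');
    return $real !== false && is_dir($real)
        && ($real === $base || strpos($real, $base . '/') === 0);
}

function phplib_init_hardened()
{
    // Overwrite unconditionally: nothing the request put into the global
    // scope survives this line.
    $GLOBALS['_PHPLIB'] = array('libdir' => PHPLIB_LIBDIR);
    if (!phplib_libdir_is_safe($GLOBALS['_PHPLIB']['libdir'])) {
        // Fail closed: a broken page beats remote code inclusion.
        trigger_error('PHPLib libdir is not a local directory', E_USER_ERROR);
    }
    return $GLOBALS['_PHPLIB']['libdir'];
}

// --- Runtime audit of the ini settings the .htaccess above disables ---------
// Returns the names of risky directives that are still enabled. A prepend
// file can call this and refuse to continue if the list is non-empty, which
// catches hosts where .htaccess php_flag lines are silently ignored.
function phplib_risky_ini_settings()
{
    $risky = array('register_globals', 'allow_url_fopen', 'allow_url_include', 'enable_dl');
    $enabled = array();
    foreach ($risky as $name) {
        // ini_get() returns false for directives this PHP build does not
        // know, which FILTER_VALIDATE_BOOLEAN treats as "off".
        if (filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN)) {
            $enabled[] = $name;
        }
    }
    return $enabled;
}

// --- Demonstration with constructed input -----------------------------------
// Simulates the global state register_globals=On would create from a request
// parameter _PHPLIB[libdir]; the host name is a constructed placeholder.
$_PHPLIB = array('libdir' => 'http://remote.invalid/');

var_dump(phplib_init_vulnerable());                        // the URL survives the guard
var_dump(phplib_init_hardened());                          // PHPLIB_LIBDIR; request value discarded
var_dump(phplib_libdir_is_safe('http://remote.invalid/'));  // bool(false)
var_dump(phplib_libdir_is_safe(PHPLIB_LIBDIR . '../../'));  // bool(false): escapes the root
var_dump(phplib_risky_ini_settings());                     // whatever is still on in this php.ini
```

The key design choice is that the hardened initialiser never consults the pre-existing global at all: it assigns from a server-side constant and then validates that constant, so the question "did the request already define this variable?" becomes irrelevant. The ini audit complements the .htaccess because php_flag lines only take effect where AllowOverride permits them; checking `ini_get()` at runtime reports what the interpreter is actually using.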
